New data compiled by Verizon in an addendum to its Data Breach Investigations Report shows that the vast majority of reported and investigated data breaches are the result of external incidents, not insider threats.
“Incidents that result in data compromise and that prompt disclosure or outside investigation are most likely to be perpetrated by external threat agents,” the report says.
The report, which is an update and expansion of Verizon’s annual Data Breach Investigations Report, takes a detailed look at the anatomy of data breaches and how and why they occur. The data that Verizon analyzes in the report is taken from the public data breaches that have been disclosed and investigated. So it does not include information on incidents that didn’t trigger a disclosure or were otherwise not made public.
But what the report does show is that the data compiled by Verizon matches up very closely with slightly normalized data contained in the DataLoss Database, a massive collection of reported data breach incidents. In order to make the DataLossDB information map more closely to that gathered by Verizon, the Verizon researchers removed incidents from the DataLossDB that were the result of “lost assets, improper disposal and postal mail errors.”
The result is that Verizon’s data shows that 73 percent of incidents are the result of external events, while the modified DataLossDB data shows that 79 percent of incidents came from external sources. That’s a remarkably similar result. But, as the Verizon researchers point out in the report, it’s not necessarily a conclusive one.
“The modified DataLossDB dataset nearly mirrors our own. We find this fascinating. The agreement between these large historical datasets increases our confidence in the following assertion: Incidents that result in data compromise and that prompt disclosure or outside investigation are most likely to be perpetrated by external threat agents. The assertion should be read carefully as it contains important qualifiers. Neither of these datasets contains unknown incidents. Neither contains undisclosed incidents that were investigated internally. Perhaps such incidents differ in quality than those contained within our caseload and DataLossDB. Perhaps they don’t. Without data, neither hypothesis can be tested. We must manage according to what we know and then try to prepare for what we do not know. Table 5 represents a large sample of what we know,” the report says.
The data sets compiled by Verizon and the DataLossDB are quite different, due to the nature of the work each organization does. Verizon’s data leans much more toward attacks and malware infections, whereas the DataLossDB mostly comprises incidents that were the result of thefts or mistakes.